Data breach: FAQs February 2019
We're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts. We’ve tried to provide answers to your most common questions about this breach here and we’ll be updating this page as new info arises.
Page last updated: 3pm Monday 11 February.
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February. During this time, when two users logged in simultaneously, one of them may have gained access to the other’s account. We have now identified that this happened on 46 occasions.
Why has this happened?
A bug in the software for a new user service released on Tuesday 5 February was the cause. We reversed that change on the morning of Thursday 7 February. Since then there have been no further incidents.
How did Mumsnet find out this was happening?
On the evening of Wednesday February 6, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.
How many people are affected?
We’re now as confident as we can be that the total number of users affected is 44 (2 accounts were breached twice, bringing the total occasions to 46). We have emailed these users directly.
What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages
They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.
What have you done about it so far?
We’ve reversed the software change that was made on Tuesday, and on Thursday we forced all logged-in Mumsnet users (including those using the Talk app) to log out. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.
What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will update this page and post on the site. We have identified the users whose accounts were wrongfully accessed, by running software to interrogate the server logs in depth. We have informed those affected directly.
Do I need to do anything?
You do not need to do anything. We have reversed the change that caused the problem.
Were any accounts “switched”?
This is what happened after the software release on Tuesday:
When two people log in at the same time, there is a very small delay between them (milliseconds), and the first person to log in (user A) was sometimes given the account of the second user (user B).
User B logged into their own account as normal; they were NOT given user A’s account.
This happened on 46 occasions before we reversed the software and logged everyone out.
As soon as we identified all user Bs, we emailed them directly to explain that their account had been breached.
We have also emailed user As to let them know they were accidentally logged in to someone else's account.
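As an added illustration (this is not Mumsnet's code, and the page does not describe the exact mechanism), the following assumes one common way such a login race arises: the verified username is held in state shared between concurrent requests rather than carried with each request. It replays the interleaving described above deterministically, shows the request-scoped fix, and includes the kind of log check that finds sessions bound to the wrong account; the accounts and log records are constructed.

```python
# Added illustration of a shared-state login race (not Mumsnet's code).
USERS = {"userA": "pw-a", "userB": "pw-b"}  # constructed sample accounts

class BuggyLoginService:
    """Hypothetical buggy pattern: the verified username is parked in a field
    shared by all requests, so an overlapping login overwrites it."""
    def __init__(self):
        self._pending_user = None

    def authenticate(self, username, password):
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        self._pending_user = username  # shared, not request-scoped

    def issue_session(self):
        return {"user": self._pending_user}

class FixedLoginService:
    """Hardened form: the verified identity travels with the request."""
    def authenticate(self, username, password):
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        return username

    def issue_session(self, username):
        return {"user": username}

def replay_overlapping_logins(service):
    """Deterministic replay of the FAQ's interleaving: A authenticates, B a few
    ms later, then each request issues its session. Returns (A's, B's) owner."""
    if isinstance(service, BuggyLoginService):
        service.authenticate("userA", "pw-a")
        service.authenticate("userB", "pw-b")  # B's login lands between A's steps
        return service.issue_session()["user"], service.issue_session()["user"]
    ident_a = service.authenticate("userA", "pw-a")
    ident_b = service.authenticate("userB", "pw-b")
    return service.issue_session(ident_a)["user"], service.issue_session(ident_b)["user"]

# Constructed log records: credentials verified vs. account the session got.
SAMPLE_LOG = [
    {"authenticated_as": "userA", "session_user": "userB"},  # cross-account
    {"authenticated_as": "userB", "session_user": "userB"},
    {"authenticated_as": "userC", "session_user": "userC"},
]

def find_cross_account_logins(log_records):
    """Flag sessions bound to someone other than the verified user."""
    return [r for r in log_records if r["authenticated_as"] != r["session_user"]]
```

With the buggy service, user A ends up in user B's account while user B gets their own, which is the outcome the FAQ describes; the fixed service gives each user their own session.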
Why did it take so long for me to get an email?
The general mail telling users about the breach went out in batches. There were about a million to be sent and if we sent them faster there was a high possibility they’d be viewed by some recipient servers as an attack or spam and be blocked. All emails should now have been delivered.
Will I get a mail even if I ticked the box asking not to receive them?
I had to log back in. Does the fact I was logged out mean that my data has been breached?
No. We forced a logout on site over the course of Thursday 7 February. This affected everyone and was intentional. It does not mean your account was accessed wrongfully or that your data is at risk.
I use social logins (Facebook or Google) to log in to Mumsnet. Is my account safe? Was I logged out?
If you use social logins (e.g. Google or Facebook) to log in to Mumsnet, and you were logged in to Google/Facebook at the time we forced users out, those services may not have required you to manually re-enter your login details. Similarly, if you use Chrome or LastPass or some other service that remembers your logins for you, your login details may have been auto-filled by those services when you were required to log back in to Mumsnet. However, EVERY SINGLE logged-in user was forced out of Mumsnet. Even where social logins took users straight back in, no user will have been logged back in to the wrong account.
Was the App or Gransnet affected?
No, those who solely use the Talk and Pregnancy app and those who use only Gransnet are not on the same user service, so this doesn’t apply to them.
Why was I forced to log in again on the App if it wasn’t affected by the breach?
Many users were concerned that they hadn't been asked to re-login. So for consistency, we forced users to re-login on both site and app across all devices. This is also considered best practice.
I’ve been logged out and now I can’t log back in. Help!
Please try resetting your password by going here: www.mumsnet.com/password-reset/reset. Remember that this is a time-limited request so you'll have to change your password within 30 minutes of clicking on the link, without changing the device (phone, laptop, PC, Mac etc) you're using to access Mumsnet. And do remember to look for the reset email in your Spam folder as it may end up there. If you are on a mobile device and are getting the message “The following problems prevented us from resetting your password” but no more information, this is an issue our tech team are aware of. We’re very sorry, but you’ll need to try resetting your password on a desktop or laptop. If you no longer have access to the email address you used to register and this is stopping you from making progress, please email us on firstname.lastname@example.org. (We’re expecting a lot of queries over the next few days so it may take us a little while to get back to you; please bear with us.)
I changed my password, but it's only accepting my old password
This issue is not related to the breach. There was a bug on the mobile site that meant users got a mistaken “You have been successful” message when they tried to change their password. On the afternoon of Monday 11 February, we fixed this on the mobile site. The option to change your password has always worked on the desktop site.
It’s not a password issue. I definitely know my password. I just can’t log in.
Some users are having difficulties logging in on older versions of Chrome. If this sounds like you, it may help to clear your cache, update your browser or try using a different browser. If that still doesn’t help, please email us on email@example.com.
I’m really worried that someone may have accessed the personal info in my account.
We’re really sorry that our mistake has caused anxiety and we do understand why some MNers will be really worried by this. There is no evidence that anyone whose account was logged into has done anything malicious, but of course we cannot be sure until we have tracked down and investigated every incident and every log and contacted the affected posters – we are working very hard to close this down as quickly as possible. If you're at all worried please mail firstname.lastname@example.org.
Have you reported yourself to ICO?
Yes, we did so on Thursday 7 February.
I've had an email from Mumsnet about this, but it wasn’t sent to the email that is registered with my Mumsnet account. What’s going on?
We’ve had this enquiry from a few users. In all the cases we’ve looked at so far, the email address that received the message is indeed registered with Mumsnet and has an account, but was often registered some time ago and is not actively used. The email will also be sent to the email account associated with the Mumsnet account you use more often. We’re sorry that the emails are taking so long to be delivered – it’s because we’re sending around a million emails, and we have to limit the batches otherwise they risk being identified as spam and not being delivered at all.
Why does the email say that something happened “last night” or “this morning”?
The breach occurred between 2pm on Tuesday 5 February and 9am on Thursday 7 February. We should have used specific dates in the email, but we didn’t expect them to take longer than a day to be delivered. We changed this wording in the email batches sent out on Saturday. All emails have now been delivered.
Was this a hack?
No. This problem was caused by a software bug that wasn’t picked up in our user and service testing. We’ve got no reason to think anyone accessed anyone else’s account deliberately or with malicious intent.
I’m getting weird telephone calls/spammy emails. Have you ever sold my email address or telephone number to a third party without my express permission?
Why are some of my nicknames duplicated in my list of usernames?
This is not related to the breach. The site was originally set up to show a history of nicknames, so you might have seen duplicates in that list. People commented on this and it was clearly causing confusion and concern, so we have released some software changes over the past few days to try to simplify this. Changes to your nickname list in the past few days are due to these software releases.
If you refresh the page, it should now show an alphabetised list of your nicknames, with no duplicates.
If you think you've seen a nickname that you haven't used before, please email email@example.com to tell us which username is wrong, including a screenshot, and we will look into it.
Is Mumsnet’s Tech up to scratch?
There’s no denying that Mumsnet’s platform needs upgrading (we’ve been going for a lot longer than most). It’s also a single application, a monolith, and we have a lot of users (14m monthly uniques according to Google Analytics). Its size and complexity make it difficult to update and improve, and so we are in the process of re-platforming our legacy systems: moving from a monolith to microservices and to the cloud, as well as standardising our code base. This approach is considered good practice. The change we made on Tuesday was part of this process of moving from a single application to multiple smaller services. Unfortunately, as you know, we didn’t execute this particular change well – there was a bug in the code which did not show up in our user and systems testing and we need to learn from that.
Does Mumsnet HQ have a tech team of sufficient size to deal with this?
We have been and are investing heavily in the team and infrastructure – increases in spending of around 125% and 60% respectively over last year and this year. We currently have 12 full time developers and plan to hire another 3 this year. In monetary terms our spend is around £1m per annum on our Tech, product and data teams combined.
We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached – please mail us on firstname.lastname@example.org if you’d like to discuss your individual account details.